Fritch84

Remote login failure

Hi All,

I have recently enforced a new password policy in SBS 2003 requiring users to change their passwords.  This worked fine without a glitch at our local site, but we have some remote users connecting via VPN who are getting login failure alerts showing up on the server, presumably after just changing their passwords.

What is weird though is in the event ID logs it is showing a different name than our domain name next to the failed audit log.  Because they have strenuously assured me that they haven't changed the domain name and I can't verify it, I'm just wondering if it is at all possible that this could be anything other than an incorrect domain name entry? And if possible, why would it be displayed incorrectly in the audit logs?  

Logon Failure:
  Reason: Unknown user name or bad password
  User Name: bshort
  Domain: ASI-BRIAN
  Logon Type: 8
  Logon Process: Advapi
  Authentication Package: Negotiate
  Workstation Name: ASISERVER
  Caller User Name: NETWORK SERVICE
  Caller Domain: NT AUTHORITY
  Caller Logon ID: (0x0,0x3E4)
  Caller Process ID: 11172
  Transited Services: -
  Source Network Address: 217.165.94.157
  Source Port: 2350




MattShadbolt

Can you ask the user to attempt to log in as DOMAINNAME\Username?

ASKER

Well they won't come on for another 6 hours or so (different time zones).  I'll definitely request that they try that.

Another weird thing is that I've been able to use their credentials to connect and it works fine for me.  I'm really hoping this is just a simple case of user error - their Internet was down at their site for some time (unrelated) so it's possible they tried to manipulate settings to try to connect.  

Does it make sense that there's something other than our real domain name listed in the event log next to the domain entry?

I totally agree, Fritch. If the creds work on your machine then it's more than likely user error.

Thanks for the reassurance.  He sounded so adamant that no other changes were made - but the incorrect logs and the fact it works for me completely contradicted him.  I was just wondering if this issue could occur from anything else that I enforced in the group policy.  I'll see how it goes this afternoon and let you know.
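
An added example, not part of the original thread: a small Python parser for "Logon Failure" audit text like the event in the question, which separates failures where the client supplied a different domain from failures where the domain matched and only the credentials were rejected. `EXPECTED_DOMAIN`, the function names and the second sample event are assumptions made for illustration; the thread never states the real domain name.

```python
# Added example: triage "Logon Failure" audit text by supplied domain.
# EXPECTED_DOMAIN is a placeholder; the thread never states the real domain name.
EXPECTED_DOMAIN = "EXAMPLEDOMAIN"

# Windows logon type codes that appear in security audit events.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}

# First event: fields copied from the thread. Second event: constructed for contrast.
SAMPLE_EVENTS = """\
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: bshort
  Domain: ASI-BRIAN
  Logon Type: 8
  Workstation Name: ASISERVER
  Source Network Address: 217.165.94.157
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: jdoe
  Domain: EXAMPLEDOMAIN
  Logon Type: 8
  Workstation Name: ASISERVER
  Source Network Address: 192.0.2.10
"""

def parse_events(text):
    """Split audit text into one dict of 'Field: value' pairs per event."""
    events, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Logon Failure:":
            current = {}
            events.append(current)
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return events

def triage(events, expected_domain=EXPECTED_DOMAIN):
    """Report each failure with whether the supplied domain matches."""
    return [{
        "user": e.get("User Name", ""),
        "supplied_domain": e.get("Domain", ""),
        "domain_mismatch": e.get("Domain", "").lower() != expected_domain.lower(),
        "logon_type": LOGON_TYPES.get(e.get("Logon Type", ""), "Other"),
        "source": e.get("Source Network Address", ""),
    } for e in events]

if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE_EVENTS)):
        print(row)
```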
